Catalyst 3750-X and 3560-X Switch Software Configuration Guide (OL-21521-01), page 37-13
Chapter 37 Configuring Network Security with ACLs
Configuring IPv4 ACLs
Command Purpose

Command: or access-list access-list-number {deny | permit} protocol any any [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
Purpose: In access-list configuration mode, define an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.
You can use the any keyword in place of the source and destination address and wildcard.

Command: or access-list access-list-number {deny | permit} protocol host source host destination [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
Purpose: Define an extended IP access list by using an abbreviation for a source and a source wildcard of source 0.0.0.0 and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.
You can use the host keyword in place of the source and destination wildcard or mask.

Step 2b
Command: access-list access-list-number {deny | permit} tcp source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp] [flag]
Purpose: (Optional) Define an extended TCP access list and the access conditions.
Enter tcp for Transmission Control Protocol.
The parameters are the same as those described in Step 2a, with these exceptions:
(Optional) Enter an operator and port to compare the source port (if positioned after source source-wildcard) or the destination port (if positioned after destination destination-wildcard). Possible operators include eq (equal), gt (greater than), lt (less than), neq (not equal), and range (inclusive range). Operators require a port number (range requires two port numbers separated by a space).
Enter the port number as a decimal number (from 0 to 65535) or the name of a TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
The other optional keywords have these meanings:
established—Enter to match an established connection. This has the same function as matching on the ack or rst flag.
flag—Enter one of these flags to match by the specified TCP header bits: ack (acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize), or urg (urgent).

Step 2c
Command: access-list access-list-number {deny | permit} udp source source-wildcard [operator port] destination destination-wildcard [operator port] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
Purpose: (Optional) Define an extended UDP access list and the access conditions.
Enter udp for the User Datagram Protocol.
The UDP parameters are the same as those described for TCP except that the [operator [port]] port number or name must be a UDP port number or name, and the flag and established parameters are not valid for UDP.
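The entries defined in Steps 2a through 2c are evaluated top-down, the first matching entry wins, and an implicit deny follows the last one. The Python model below is an added example, not code from the Cisco guide; it shows how the wildcard masks, the port operators of Step 2b and the established keyword decide whether an entry matches, using a constructed ACL and constructed packets.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model of extended ACL evaluation as Steps 2a-2c describe it:
# entries are tested top-down, first match wins, and an implicit deny follows
# the last entry. A wildcard bit of 1 means "don't care", so a wildcard of
# 0.0.0.0 is the host keyword and 255.255.255.255 is the any keyword.
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care
# Port operators from Step 2b; an empty operator means "any port".
PORT_OPS = {"": lambda p, a: True, "eq": lambda p, a: p == a[0],
            "neq": lambda p, a: p != a[0], "gt": lambda p, a: p > a[0],
            "lt": lambda p, a: p < a[0], "range": lambda p, a: a[0] <= p <= a[1]}

def port_match(port: int, op: str, args: tuple) -> bool:
    return PORT_OPS[op](port, args)

@dataclass
class Ace:                   # one access-list entry
    action: str; proto: str  # "permit"/"deny"; "ip", "tcp" or "udp"
    src: str; src_wc: str; dst: str; dst_wc: str
    src_op: str = ""; src_ports: tuple = ()
    dst_op: str = ""; dst_ports: tuple = ()
    established: bool = False  # TCP only: same as matching the ack or rst flag
def ace_matches(ace: Ace, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], ace.src, ace.src_wc)
            and wildcard_match(pkt["dst"], ace.dst, ace.dst_wc)):
        return False
    if ace.proto in ("tcp", "udp") and not (
            port_match(pkt["sport"], ace.src_op, ace.src_ports)
            and port_match(pkt["dport"], ace.dst_op, ace.dst_ports)):
        return False
    # established is a header-bit check, not connection tracking
    return not ace.established or bool(pkt["flags"] & {"ack", "rst"})

def evaluate(acl: list, pkt: dict) -> str:
    return next((a.action for a in acl if ace_matches(a, pkt)), "deny")

def pkt(proto, src, dst, sport=0, dport=0, flags=()):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport, "flags": set(flags)}

# Constructed ACL: reply traffic into 10.1.0.0/16, SSH to one host from a
# management subnet, DNS to one resolver; anything else hits the implicit deny.
ACL = [Ace("permit", "tcp", "0.0.0.0", "255.255.255.255", "10.1.0.0", "0.0.255.255", established=True),
       Ace("permit", "tcp", "192.168.5.0", "0.0.0.255", "10.1.0.10", "0.0.0.0", dst_op="eq", dst_ports=(22,)),
       Ace("permit", "udp", "0.0.0.0", "255.255.255.255", "10.1.0.53", "0.0.0.0", dst_op="eq", dst_ports=(53,))]
```

Because established only inspects the ack and rst bits, the first entry admits any TCP segment carrying ACK regardless of whether the switch ever saw the matching SYN; pair it with source restrictions or a stateful feature when that matters.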